Reasons not to use TSIG?

David Botham DBotham at
Wed Oct 6 15:43:00 UTC 2004

bind-users-bounce at wrote on 10/06/2004 06:59:09 AM:
> Hello everyone,
> I am exploring the possibilities TSIG offers; for the environment I work
> in TSIG seems fine, since it is easy to set up and offers a reasonable 
> of security from employees doing zone transfers or hammering my machines
> with recursive queries.
> And since I am about to use TSIG as widely as possible, I would like to 
> if there are any reasons not to use TSIG.
> I can think of just one: TSIG cannot be used to verify zone-content the 
> can. Also, regular queries don't get covered by this.

I do not consider the fact that TSIG can't verify zone content a check in 
the minus column.  There are a great number of things that TSIG does not 
do by design.  Verifying zone content is one of them.  Others are (in no 
particular order):

Making coffee
Tying my shoes
Negotiating SSL connections

TSIG does a great job at what it is designed to do (imho).

However, if you are interested in interoperation in a Windows environment 
for DDNS updates, you may want to look at this:

Specifically, skip to the section on "DNS Standards for Secure Dynamic 



> But otherwise?
> (In case it matters, we currently have a test setup where TSIG is used 
> "allow-transfer {}" and "allow-notify {}".)
> Benjamin Walkenhorst
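A concrete version of the test setup Benjamin mentions (TSIG on "allow-transfer" and "allow-notify"), added here as an illustration rather than taken from the thread. The key name, the secret, the addresses 192.0.2.1/192.0.2.2 and the zone name are all assumed; the same key statement, with the same name, goes into both named.conf files.

```conf
// Added example, not from the thread. Generate the secret with
//   tsig-keygen xfer.example.com.                                 (current BIND)
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST xfer.example.com.   (BIND of 2004)
// and paste the resulting key statement into both servers.

//// ---- master, 192.0.2.1 ----
key "xfer.example.com." {
    algorithm hmac-sha256;   // hmac-md5 was the only option in 2004
    // Placeholder (32 zero bytes); replace with the generated secret.
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

// Sign every message we send to the slave (NOTIFY) with this key.
server 192.0.2.2 {
    keys { "xfer.example.com."; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only requests carrying a valid TSIG with this key may AXFR/IXFR.
    // An unsigned transfer request from a workstation is REFUSED.
    allow-transfer { key "xfer.example.com."; };
};

//// ---- slave, 192.0.2.2 ----
key "xfer.example.com." {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // identical to the master's
};

// Sign the SOA, AXFR and IXFR requests we send to the master.
server 192.0.2.1 {
    keys { "xfer.example.com."; };
};

zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 192.0.2.1; };
    // Act on a NOTIFY only when it is signed with the shared key.
    allow-notify { key "xfer.example.com."; };
};
```

Two things bite in practice: the key name travels in the TSIG record, so it must be identical on both ends (including the trailing dot), and both clocks must agree to within the fudge window (300 seconds by default) or every signed message fails with BADTIME. The same "key" match can be used in any BIND address match list, allow-recursion included, but that only helps for clients that actually sign their queries. Note also what the check proves: that the message came from a holder of the shared secret and was not altered in transit. It says nothing about whether the zone data the master serves is correct, which is the distinction David draws above.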
